Kaspersky Endpoint Security 12 for Windows

Enabling and disabling Mail Threat Protection

8 July 2024

ID 128208

By default, the Mail Threat Protection component is enabled and runs in the mode recommended by Kaspersky experts. For Mail Threat Protection, Kaspersky Endpoint Security applies different groups of settings. These groups of settings that are stored in the application are called security levels: High, Recommended, Low. The Recommended mail security level settings are considered to be the optimal settings recommended by Kaspersky experts (see the table below). You can select one of the pre-installed email security levels or configure a custom email security level. If you have changed the email security level settings, you can always revert to the recommended email security level settings.

When working with the Mozilla Thunderbird mail client, the Mail Threat Protection component does not scan messages that are transmitted via the IMAP protocol for viruses and other threats if filters are used to move messages from the Inbox folder.

To enable or disable the Mail Threat Protection component:

  1. In the main application window, click the Application settings icon in the form of a gear wheel. button.
  2. In the application settings window, select Essential Threat ProtectionMail Threat Protection.
  3. Use the Mail Threat Protection toggle to enable or disable the component.
  4. If you enabled the component, do one of the following in the Security level block:
    • If you want to apply one of the preset security levels, select it with the slider:
      • High. When this email security level is selected, the Mail Threat Protection component scans email messages most thoroughly. The Mail Threat Protection component scans incoming and outgoing email messages, and performs deep heuristic analysis. The High mail security level is recommended for high-risk environments. An example of such an environment is a connection to a free email service from a home network that is not guarded by centralized email protection.
      • Recommended. The email security level that provides the optimal balance between the performance of Kaspersky Endpoint Security and email security. The Mail Threat Protection component scans incoming and outgoing email messages, and performs medium-level heuristic analysis. This mail traffic security level is recommended by Kaspersky specialists. The values of settings for the recommended security level are provided in the table below.
      • Low. When this email security level is selected, the Mail Threat Protection component only scans incoming email messages, performs light heuristic analysis, and does not scan archives that are attached to email messages. At this mail security level, the Mail Threat Protection component scans email messages at maximum speed and uses a minimum of operating system resources. The Low mail security level is recommended for use in a well-protected environment. An example of such an environment might be an enterprise LAN with centralized email security.
    • If you want to configure a custom security level, click the Advanced Settings button and define your own component settings.

      You can restore the values of preset security levels by clicking the Restore recommended security level button.

  5. Save your changes.

    Mail Threat Protection settings recommended by Kaspersky experts (recommended security level)




    Protection scope

    Incoming and outgoing messages

    The Protection scope includes objects that the component checks when it is run: incoming and outgoing messages or incoming messages only.

    In order to protect your computers, you need only scan incoming messages. You can turn on scanning for outgoing messages to prevent infected files from being sent in archives. You can also turn on the scanning of outgoing messages if you want to prevent files in particular formats from being sent, such as audio and video files, for example.

    Connect Microsoft Outlook extension


    If the check box is selected, scanning of email messages transmitted via the POP3, SMTP, NNTP, IMAP protocols is enabled on the side of the extension integrated into Microsoft Outlook.

    If mail is scanned using the extension for Microsoft Outlook, it is recommended to use Cached Exchange Mode. For more detailed information about Cached Exchange Mode and recommendations on its use, refer to the Microsoft Knowledge Base.

    Scan attached archives


    Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This allows to detect threats inside multi-level archives (archive within an archive).

    Scan attached files of Microsoft Office formats


    Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB, regardless of whether the check box is selected or not.

    Attachment filter

    Rename attachments of selected types

    If this option is selected, the Mail Threat Protection component will replace the last extension character found in the attached files of the specified types with the underscore character (for example, attachment.doc_). Thus, in order to open the file, the user must rename the file.

    Heuristic analysis

    Medium scan

    The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.

    When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.

    Action on threat detection

    Disinfect, delete if disinfection fails

    When an infected object is detected in an inbound or outbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to access the message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint Security deletes the infected object. Kaspersky Endpoint Security adds information about the performed action to the message subject, for example, [Message has been processed] <message subject>.


Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.